Experiment 2: Wireshark as a Network Protocol Analyzer


Learning Objectives:
- To become familiarized with the Wireshark application environment
- To perform basic PDU capture using Wireshark
- To perform basic PDU analysis
- To experiment with Wireshark features and options such as PDU capture, display filtering and following TCP streams
- To define the purpose of network protocol analyzers, such as Wireshark

Background

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. Before June 2006, Wireshark was known as Ethereal. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.

Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LAN and ATM connections (serial, 802.11 and ATM only if the OS on which it's running allows Wireshark to do so), and the "any" device supported on Linux by recent versions of libpcap. While some people use Wireshark for legitimate network monitoring, others use it to capture and analyze Telnet and FTP logins and passwords, web traffic and mail transactions in order to steal passwords and personal information from the Internet. For security and safety reasons, it is strictly advised that Wireshark be used responsibly. For further information and software download, visit http://www.wireshark.org For more network security concerns, visit http://www.cromwell-intl.com/security/monitoring.html

PART I: Wireshark Environment

To capture Protocol Data Units (PDUs), the computer on which Wireshark is installed must have an active connection to a network. Wireshark must be running before any data can be captured. Open the Wireshark application. When Wireshark is launched, a window similar to the one shown below is displayed. Explore the Wireshark environment and answer the following questions:

1. What selection in the Menu Bar enables one to open and merge capture files, save/print/export capture files in whole or in part, and to quit from Wireshark?
2. What selection in the Menu Bar contains items to find a packet, set a time reference or mark one or more packets, and set your preferences?
3. What selection in the Menu Bar allows one to start and stop captures and to edit capture filters?
4. What selection in the Menu Bar contains menu items to display various statistics windows, including a summary of the packets that have been captured and protocol hierarchy statistics?
5. What selection in the Menu Bar contains items to help the user, such as access to basic help, a list of supported protocols, manual pages, online access to some web pages, and the usual About dialog?

Draw five buttons present on the Wireshark toolbar and define their functions by holding the mouse pointer over each button for a moment (its tooltip describes the function):

Toolbar button | Function

PART II: PDU Capture

To start PDU capture, go to Capture on the Menu Bar and select Options. The Capture Options dialog box provides a range of settings and filters that determine which and how much data traffic is captured.

First, it is necessary to ensure that Wireshark is set to monitor the correct interface. From the Interface drop-down list, select the network adapter in use. Typically, a computer would be connected through an Ethernet adapter. Among the settings available in the Capture Options dialog box, the two selections encircled below are worth examining.

Setting Wireshark to capture packets in promiscuous mode: If this option is NOT checked, only PDUs destined for this computer are captured. If it is checked, all PDUs destined for this computer AND all those detected by the computer's NIC on the same network segment are captured. NOTE: Whether these other PDUs reach the NIC at all depends on the intermediary device connecting the end-device computers on the network. With different intermediary devices (hubs, switches and routers), different Wireshark results are obtained.

Should Wireshark be set into promiscuous mode when analyzing one's own network traffic? Why?

What do you think would be the drawback of having Wireshark in promiscuous mode when analyzing one's own network traffic?

Setting Wireshark for network name resolution: This option controls whether or not Wireshark translates network addresses found in PDUs into names. Although this is a useful feature, the name resolution process may add extra PDUs to the captured data, perhaps distorting the analysis. There are also a number of other capture filtering settings available under Wireshark: Capture Options. Make sure that the Capture packets in promiscuous mode and Hide capture info dialog options are unchecked.

Begin Capture Process: To start the data capture process, click the Start button in the Wireshark: Capture Options window. This shows a Capture Information dialog, and the Main Display Window is then divided into different panes similar to the window shown below:

When the Stop button is clicked, the capture process is terminated, and the main screen is displayed. This Main Display Window of Wireshark has three panes.

You may explore these three panes later. Each line in the Packet List corresponds to one PDU or packet of the captured data. If you select a line in this pane, more details will be displayed in the Packet Details and Packet Bytes panes. The example above shows the PDUs captured when the ping utility was used and http://www.yahoo.com was accessed. Packet number 1 is selected in this pane. The Packet Details pane shows the protocols and protocol fields of the selected packet. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.

The Packet Bytes pane shows the data of the current packet in what is known as hexdump style. When a more in-depth analysis is required, this displayed information is useful for examining the binary values and content of PDUs.

The captured PDU data can be saved in a file. This file can be opened in Wireshark for future analysis without the need to recapture the same data traffic. When closing a data capture screen or exiting Wireshark, you are prompted to save the captured PDUs, similar to the image shown below. Clicking on Continue without Saving closes the file or exits Wireshark without saving the displayed captured data.

PART III: Analyzing Sample PDU Captures

A. Ping PDU Capture

Note: Your instructor will provide a sample Wireshark capture of a Ping PDU. Analyze the file to answer the following questions:

Step 1: Examine the Packet List pane. The Packet List pane in Wireshark should now look something like this:

Look at the packets listed above; we are interested in packet numbers 6, 7, 8, 9, 11, 12, 14 and 15. From the Wireshark Packet List, answer the following:

What protocol is used by ping? Do not give your answer in acronym form.

What are the names of the two ping messages?

Step 2: Select (highlight) the first echo request packet in the list with the mouse. The Packet Details pane will now display something similar to:

Click on each of the four "+" signs to expand the information. The Packet Details pane will now be similar to:

As you can see, the details for each section and protocol can be expanded further. Spend some time scrolling through this information. At this stage of this experiment, you may not fully understand the information displayed, but make a note of the information you do recognize.

As you select a line in the Packet Details pane, all or part of the information in the Packet Bytes pane also becomes highlighted. For example, if the second line (+ Ethernet II) is highlighted in the Details pane, the Bytes pane highlights the corresponding values. This shows the particular binary values that represent that information in the PDU. At this stage of the course, it is not necessary to understand this information in detail.

Locate the two different types of "Source" and "Destination". What do these addresses refer to?

Analyze the frames with the first echo request and echo reply and complete the table below.

Field                         | First Echo Request | First Echo Reply
Frame Number                  |                    |
Source IP Address             |                    |
Destination IP Address        |                    |
ICMP Type value               |                    |
ICMP Code value               |                    |
Source Ethernet Address       |                    |
Destination Ethernet Address  |                    |
Internet Protocol version     |                    |
Time to Live (TTL) value      |                    |

B. HTTP PDU Capture

Note: Your instructor will provide a sample Wireshark capture of a Ping PDU. Analyze the file to answer the following questions:

The sample capture file shows the interaction of a host device accessing a website with a web browser.

What do you think is the name of the web site accessed by the host?

What protocol was used in resolving the website name to a corresponding IP address by doing a standard name query?

Using Wireshark's Filter feature: When analyzing a capture file, one might prefer to filter the captured packets down to specific protocols. Filtering packets according to the protocols associated with them can be done using Wireshark's Filter Toolbar. On the Filter Toolbar, type in http and press Enter, as shown below:

The first frame shows the request from the host to the web server and the second frame shows the response of the server to the client. By analyzing the filtered frames, complete the table below:

Field                         | Host to Web Server | Web Server to Host
Frame Number                  |                    |
Source port                   |                    |
Destination port              |                    |
Source IP Address             |                    |
Destination IP Address        |                    |
Source Ethernet Address       |                    |
Destination Ethernet Address  |                    |

Using Wireshark's Follow TCP Stream: If you are working with TCP-based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets of that TCP stream. If so, Wireshark's ability to follow a TCP stream will be useful to you.

Make sure the filter toolbar is blank. Right-click any packet inside the Packet List pane, then select Follow TCP Stream. For demonstration purposes, a packet containing the HTTP GET request GET / HTTP/1.1 was the one right-clicked below (capture display may vary).

Upon following a TCP stream, a window similar to the one below is shown. The stream content is displayed in the same sequence as it appeared on the network. By default, traffic coming from source to destination is marked in red, while traffic coming from destination to source is marked in blue. One can change these colors on the Edit > Preferences > Colors page. NOTE: The stream content won't be updated while doing a live capture; to get the latest content one has to reopen the dialog. Non-printable characters are replaced by dots.

Choose frame 19, then click Follow TCP Stream from the Analyze menu. Explore the Stream Content window and answer the following questions:

Based on the color coding explained earlier, what color represents network traffic coming from your computer terminal by default?

Based on the color coding explained earlier, what color represents network traffic coming from the web server?

Based on the Stream Content obtained, what can be observed regarding the information highlighted in red?

Based on the Stream Content obtained, what can be observed regarding the information highlighted in blue?

In the Packet List pane, highlight an HTTP packet that has the notation "(text/html)" in the Info column. In the Packet Details pane, click on the "+" next to "Line-based text data: html". When this information expands, what is displayed?

Under Follow TCP Stream, one can also choose to view the data in one of the following formats:

ASCII: In this view you see the data from each direction in ASCII.
EBCDIC: For viewing IBM codes representing characters as numbers.
HEX Dump: This allows you to see all the data. This will require a lot of screen space and is best used with binary protocols.
C Arrays: This allows you to import the stream data into your own C program.
Raw: This allows you to load the unaltered stream data into a different program for further examination. The display will look the same as the ASCII setting, but "Save As" will result in a binary file.
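The following Python program is an added example (not part of the lab handout and not Wireshark's own code) showing what Follow TCP Stream does behind the dialog: it picks out the packets that belong to the same connection as the selected one, reassembles each direction by sequence number so that an out-of-order segment and a retransmission each appear once and in order, and renders the result in the ASCII and Raw formats listed above. The packet list, addresses and HTTP exchange are constructed for the example; the display-filter string follows the style that older Wireshark versions inserted into the filter toolbar and is an assumption about its exact form.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One captured TCP segment, already dissected (constructed input for this example)."""
    no: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    payload: bytes = b""


def stream_key(seg):
    """Both directions of a connection share one key: the sorted pair of endpoints."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))


def stream_display_filter(seg):
    """Display filter that limits the Packet List to this stream (older Wireshark style; assumed)."""
    return (f"(ip.addr eq {seg.src} and ip.addr eq {seg.dst}) and "
            f"(tcp.port eq {seg.sport} and tcp.port eq {seg.dport})")


def follow_tcp_stream(packets, selected_no):
    """Reassemble both directions of the stream containing packet `selected_no`.

    Returns (direction, bytes) chunks in wire order. A segment that arrives before the
    bytes preceding it is held back until the gap is filled, and a pure retransmission
    is dropped, so every byte appears exactly once, as in the Stream Content window."""
    selected = next(p for p in packets if p.no == selected_no)
    key = stream_key(selected)
    client = (selected.src, selected.sport)   # sender of the selected packet = "client" (red)
    expected, pending, chunks = {}, {}, []
    for p in sorted(packets, key=lambda p: p.no):
        if stream_key(p) != key:              # not part of this stream: skip
            continue
        d = "client" if (p.src, p.sport) == client else "server"
        if "SYN" in p.flags:
            expected[d] = p.seq + 1           # the SYN consumes one sequence number
        if not p.payload:
            continue
        exp = expected.get(d, p.seq)          # no SYN seen: start at the first data byte
        pend = pending.setdefault(d, {})
        pend[p.seq] = p.payload
        progressed = True
        while progressed:                     # emit everything now contiguous from exp
            progressed = False
            for s, data in list(pend.items()):
                if s + len(data) <= exp:      # entirely old: retransmission, discard
                    del pend[s]
                elif s <= exp:                # covers the next byte we need (maybe overlapping)
                    del pend[s]
                    chunks.append((d, data[exp - s:]))
                    exp = s + len(data)
                    progressed = True
        expected[d] = exp
    return chunks


def render_ascii(chunks):
    """ASCII view: printable bytes and line breaks kept, everything else shown as a dot."""
    def show(b):
        return chr(b) if 32 <= b < 127 or b in (10, 13) else "."
    return [(d, "".join(show(b) for b in data)) for d, data in chunks]


def render_raw(chunks):
    """Raw view: the unaltered bytes per direction (what "Save As" writes to a binary file)."""
    return {side: b"".join(data for d, data in chunks if d == side) for side in ("client", "server")}


# Constructed capture: a client fetching "/" from a web server, plus one unrelated packet.
CLIENT, SERVER = "192.168.1.101", "207.62.187.7"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
RESPONSE_HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n"
RESPONSE_BODY = b"<html>\x01\x02hi</html>"           # two non-printable bytes on purpose
SAMPLE_PACKETS = [
    Segment(1, CLIENT, 49323, SERVER, 80, "SYN", 1000),
    Segment(2, SERVER, 80, CLIENT, 49323, "SYN,ACK", 5000),
    Segment(3, CLIENT, 49323, SERVER, 80, "PSH,ACK", 1001, REQUEST),
    Segment(4, SERVER, 80, CLIENT, 49323, "ACK", 5001),
    # body segment captured before the header segment (out of order on the wire)
    Segment(5, SERVER, 80, CLIENT, 49323, "PSH,ACK", 5001 + len(RESPONSE_HEAD), RESPONSE_BODY),
    Segment(6, SERVER, 80, CLIENT, 49323, "PSH,ACK", 5001, RESPONSE_HEAD),
    Segment(7, SERVER, 80, CLIENT, 49323, "PSH,ACK", 5001, RESPONSE_HEAD),   # retransmission
    Segment(8, CLIENT, 49500, "10.0.0.9", 23, "PSH,ACK", 77, b"other stream"),  # different connection
]

if __name__ == "__main__":
    print("filter:", stream_display_filter(SAMPLE_PACKETS[2]))
    for direction, text in render_ascii(follow_tcp_stream(SAMPLE_PACKETS, 3)):
        colour = "red" if direction == "client" else "blue"
        print(f"[{direction}, {colour}]\n{text}")
```

Selecting packet 3 (the GET) makes the client side the red direction; the server's body segment (packet 5) is held until its header segment (packet 6) arrives, and the duplicate header (packet 7) is dropped, so the ASCII view shows the request, then the response headers, then `<html>..hi</html>` with the two non-printable bytes dotted out, while the Raw view still carries the original bytes.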

Which format is best for viewing ASCII-based protocols such as HTTP?

Would the Raw format have the same display as the ASCII format?

If the Raw format looks just the same as the ASCII format, then what is the difference in using the Raw format?

PART IV: Experimenting with Wireshark

Set up a simple switched network of 3 PCs with one PC acting as web server. Your instructor will assign the IP addresses for the PCs and the web server. Set the Capture Options as described above in the overview. On a client host, enter the IP address of the web server in the browser's address bar and start the capture process.

Outcome: Save an expanded Ethernet frame (http) to a text file and print out the file. This Ethernet frame can include:
- Ethernet frame
- IP packet
- TCP/UDP header
- Application header and/or data

To save the Ethernet frames to a text file, choose File >> Export >> File...

To save a single expanded frame/packet:
- File name: be sure to use the file extension .txt
- Packet Range: Selected packet; click on Displayed (this will be the current frame/packet selected in the display)
- Packet Format: be sure Packet Details is checked; choose All expanded
- Click Save

To save a range of expanded frames/packets:
- File name: be sure to use the file extension .txt
- Packet Range: Range; click on Captured; Range: first frame/packet - last frame/packet (example: 2-4)
- Packet Format: be sure Packet Details is checked; choose All expanded
- Click Save

Sample Output

No.  Time      Source         Destination   Protocol  Info
2    0.344369  192.168.1.101  207.62.187.7  TCP       49323 > http [SYN] Seq=498698563 Len=0 MSS=1460 WS=2

Frame 2 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Mar 1, 2008 14:11:23.257549000
    [Time delta from previous captured frame: 0.344369000 seconds]
    [Time delta from previous displayed frame: 0.344369000 seconds]
    [Time since reference or first frame: 0.344369000 seconds]
    Frame Number: 2
    Frame Length: 66 bytes
    Capture Length: 66 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: QuantaCo_04:a2:1e (00:1b:24:04:a2:1e), Dst: Cisco-Li_09:4e:0f (00:0f:66:09:4e:0f)
    Destination: Cisco-Li_09:4e:0f (00:0f:66:09:4e:0f)
        Address: Cisco-Li_09:4e:0f (00:0f:66:09:4e:0f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: QuantaCo_04:a2:1e (00:1b:24:04:a2:1e)
        Address: QuantaCo_04:a2:1e (00:1b:24:04:a2:1e)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 207.62.187.7 (207.62.187.7)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x0a6b (2667)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xa405 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.101 (192.168.1.101)
    Destination: 207.62.187.7 (207.62.187.7)
Transmission Control Protocol, Src Port: 49323 (49323), Dst Port: http (80), Seq: 498698563, Len: 0
    Source port: 49323 (49323)
    Destination port: http (80)
    Sequence number: 498698563
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x9aca [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    Options: (12 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 2 (multiply by 4)
        NOP
        NOP
        SACK permitted
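To show what the Packet Details tree above is derived from, here is an added Python dissector (not part of the lab handout, and not Wireshark's own code) that rebuilds frame 2 byte for byte from the values in the sample output and decodes it as Ethernet II, IPv4 and TCP. It reads the IG/LG bits of the MAC address, the DF flag, the TCP header length, flags and options, and recomputes both the IP header checksum and the TCP checksum (with its pseudo-header) so the "[correct]" verdicts can be checked independently. The 66-byte frame is a constructed input assembled from the fields shown; the function and key names are this example's own.

```python
import struct

# Constructed input: the 66-byte TCP SYN frame from the sample output, rebuilt from
# the values Wireshark displayed for frame 2 (Ethernet 14 + IPv4 20 + TCP 32 bytes).
SAMPLE_FRAME = bytes.fromhex(
    "000f66094e0f"               # Ethernet dst: Cisco-Li_09:4e:0f
    "001b2404a21e"               # Ethernet src: QuantaCo_04:a2:1e
    "0800"                       # Type: IP
    "4500" "0034" "0a6b" "4000"  # IPv4: ver 4 / IHL 5, DSCP 0, total length 52, ID 0x0a6b, DF set
    "8006" "a405"                # TTL 128, protocol TCP (6), header checksum 0xa405
    "c0a80165" "cf3ebb07"        # 192.168.1.101 -> 207.62.187.7
    "c0ab" "0050" "1db98943"     # TCP: src port 49323, dst port 80, seq 498698563
    "00000000" "8002" "2000"     # ack 0, data offset 8 (32 bytes) + SYN flag, window 8192
    "9aca" "0000"                # checksum 0x9aca, urgent pointer 0
    "020405b4" "01" "030302"     # options: MSS 1460, NOP, window scale 2
    "01" "01" "0402"             # NOP, NOP, SACK permitted
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": mac_str(dst), "src": mac_str(src), "type": ethertype,
        # The two low bits of the first octet are what Wireshark labels IG and LG.
        "src_is_group": bool(src[0] & 0x01),             # IG: 0 = individual (unicast)
        "src_locally_administered": bool(src[0] & 0x02), # LG: 0 = globally unique
    }, frame[14:]


def parse_ipv4(packet: bytes):
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = packet[:ihl]
    recomputed = ones_complement_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "dscp": tos >> 2, "ecn": tos & 0x03,
        "total_length": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum": cksum, "checksum_ok": recomputed == cksum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "_raw_src": src, "_raw_dst": dst,   # kept for the TCP pseudo-header
    }, packet[ihl:total_len]


def parse_tcp_options(data: bytes):
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP (padding)
            opts.append(("NOP", None)); i += 1; continue
        if i + 1 >= len(data) or data[i + 1] < 2:   # refuse to loop on a malformed length
            opts.append(("malformed", data[i:].hex())); break
        length, value = data[i + 1], data[i + 2:i + data[i + 1]]
        if kind == 2:
            opts.append(("MSS", struct.unpack("!H", value)[0]))
        elif kind == 3:
            opts.append(("Window scale", value[0]))
        elif kind == 4:
            opts.append(("SACK permitted", None))
        else:
            opts.append((f"kind {kind}", value.hex()))
        i += length
    return opts


def parse_tcp(segment: bytes, ip_src: bytes, ip_dst: bytes):
    sport, dport, seq, ack, off_flags, window, cksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x01FF
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length) plus the segment.
    pseudo = ip_src + ip_dst + struct.pack("!BBH", 0, 6, len(segment))
    recomputed = ones_complement_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_len": hlen,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "checksum": cksum, "checksum_ok": recomputed == cksum,
        "options": parse_tcp_options(segment[20:hlen]), "payload_len": len(segment) - hlen,
    }


def dissect_frame(frame: bytes):
    """Ethernet -> IPv4 -> TCP, mirroring the three protocol nodes in the Packet Details pane."""
    eth, rest = parse_ethernet(frame)
    if eth["type"] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip, rest = parse_ipv4(rest)
    if ip["protocol"] != 6:
        raise ValueError("not a TCP packet")
    return eth, ip, parse_tcp(rest, ip["_raw_src"], ip["_raw_dst"])


if __name__ == "__main__":
    eth, ip, tcp = dissect_frame(SAMPLE_FRAME)
    print(f'{ip["src"]} -> {ip["dst"]}  {tcp["src_port"]} > {tcp["dst_port"]} '
          f'[{",".join(tcp["flags"])}] Seq={tcp["seq"]} Len={tcp["payload_len"]} {tcp["options"]}')
    print(f'IP checksum 0x{ip["checksum"]:04x} ok={ip["checksum_ok"]}, '
          f'TCP checksum 0x{tcp["checksum"]:04x} ok={tcp["checksum_ok"]}')
```

Running it reproduces the Info column of the sample (49323 > 80, SYN, sequence 498698563, MSS 1460, window scale 2) and confirms that the header checksum 0xa405 and the TCP checksum 0x9aca are the values the bytes actually produce, which is the same check behind Wireshark's "[Good Checksum: True]".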